Protecting your SSH keys
Andreas Schwier | 11 Mar 2015
SSH is the de-facto standard used by system administrators to access remote systems. Often SSH is used with password-based authentication; however, the recommended way is to use public key authentication.
The beauty of SSH is that you don’t need a PKI to implement strong authentication when accessing your servers. Public key authentication works by placing your public key on the server, while you keep the private key on the client.
However, if you generate the private SSH key on your computer using ssh-keygen, then your private key is only protected by the password you choose. Putting the private key into a SmartCard-HSM tightens security and allows better mobility of your SSH key.
Only a few simple steps are required to activate SSH access using your SmartCard-HSM.
To use public key authentication with SSH, you need to make sure that public key authentication is enabled on the server. Make sure your sshd_config in /etc/ssh contains:
PubkeyAuthentication yes
First we need to generate a key pair on the SmartCard-HSM. We use the pkcs11-tool from OpenSC for this purpose:
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
label: Private Key
ID: 60cebf8d2c08cd8c5fece99b892141e515446168
Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
label: Private Key
ID: 60cebf8d2c08cd8c5fece99b892141e515446168
Usage: encrypt, verify, wrap
Next we need to register the SmartCard-HSM with the SSH authentication agent:
$ ssh-add -s /usr/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/opensc-pkcs11.so
Your new key should now be available in the agent:
$ ssh-add -l
2048 4f:9b:42:53:87:cc:53:93:14:5d:56:cc:26:f3:ea:9b /usr/local/lib/opensc-pkcs11.so (RSA)
If you are getting an error message while adding the shared object, then please make sure that ssh-agent is running (ps aux | grep agent should show ssh-agent). On newer (>=14.04) versions of Ubuntu the ssh-agent is replaced by gnome-keyring, which does not support adding PKCS#11 modules. On such systems you must disable the ssh component in gnome-keyring by adding the line
X-GNOME-Autostart-enabled=false
to /etc/xdg/autostart/gnome-keyring-ssh.desktop. After a logout, the new session should use ssh-agent instead of gnome-keyring for SSH keys.
Next the public key needs to be installed in ~/.ssh/authorized_keys on the server. This can be done with
$ ssh-copy-id tonno.mi.cardcontact.de
This appends the newly generated public key to the authorized_keys file on the server (here at tonno.mi.cardcontact.de).
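To confirm that the entry appended to authorized_keys is the key held on the SmartCard-HSM, its fingerprint can be recomputed from the public key blob and compared with the ssh-add -l listing. The Python code below is an added example, not part of the original article; it assumes an authorized_keys line without leading options, and the sample entry is constructed (a dummy modulus, not a usable key).

```python
import base64
import hashlib
import struct


def read_fields(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields (RFC 4251 strings)."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def fingerprint(authorized_keys_line: str) -> dict:
    """Key type, RSA modulus size and both fingerprint formats of one entry."""
    key_type, b64 = authorized_keys_line.split()[:2]  # assumes no leading options
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if fields[0] != key_type.encode():
        raise ValueError("key type does not match the blob")
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    bits = int.from_bytes(fields[2], "big").bit_length() if key_type == "ssh-rsa" else None
    return {"type": key_type, "bits": bits, "sha256": "SHA256:" + sha,
            "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def matches_agent(authorized_keys_line: str, ssh_add_l_line: str) -> bool:
    """True if an `ssh-add -l` line lists the same key as the authorized_keys entry."""
    bits, shown = ssh_add_l_line.split()[:2]
    fp = fingerprint(authorized_keys_line)
    shown = shown[4:] if shown.startswith("MD5:") else shown  # newer OpenSSH prefixes MD5:
    return int(bits) == fp["bits"] and shown in (fp["md5"], fp["sha256"])


def constructed_line() -> str:
    """Constructed sample entry: well-formed ssh-rsa blob, dummy 2048-bit modulus."""
    pack = lambda data: struct.pack(">I", len(data)) + data
    n = (1 << 2047) | 1  # leading zero byte below keeps the mpint positive
    blob = (pack(b"ssh-rsa") + pack(b"\x01\x00\x01")
            + pack(b"\x00" + n.to_bytes(256, "big")))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```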
Now that your public key has been added, you can access the server with
$ ssh tonno.mi.cardcontact.de
Last login: Wed Mar 11 16:28:53 2015 from mozzarella.mi.cardcontact.de
To stop using your private key, just disconnect the SmartCard-HSM from the authentication agent:
$ ssh-add -e /usr/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card removed: /usr/local/lib/opensc-pkcs11.so
On a different machine you will only need to register (-s = start) the SmartCard-HSM with the authentication agent. No need to copy your private SSH keys.
On Windows you can use PuTTY-CAC to open a secure shell with a remote server using a SmartCard-HSM storing your private key. A version of PuTTY-CAC is contained in the SmartCard-HSM Starterkit.
On MacOS X you will need to update the OpenSSH package, as the one supplied by Apple has a bug.
Of course you can use the key backup / restore mechanisms to take backups of the SSH key.
An interesting application of SSH using a SmartCard-HSM is to protect your Git repository. Git uses SSH for authentication, and placing the private key in a SmartCard-HSM gives you tight control over who gains access to the repository.
At CardContact we use this to protect the Git repositories available to subscribers at the CardContact Developer Network (CDN). All SmartCard-HSM users can apply for a certificate to access the CDN, and the public key from that certificate is automatically added to the list of authorized SSH keys.